Our phones hold a plethora of important, private information about our personal lives, and it’s not just their contents that matter: the data that our phones exchange with cell towers during basic connection procedures can reveal critical, and private, information. Perhaps you called the suicide prevention hotline from the Golden Gate Bridge; maybe you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after. The contents of those calls aren’t as secret as you might hope to someone who knows that the calls were made, and when. And just knowing the location a phone was in at a certain time, regardless of whether a call was made, could place someone at a protest—or at the scene of a crime.

While the field of cell network security has been rapidly advancing, there’s also been a significant rise in the exploitation of cell network security bugs by criminals and law enforcement, who are using them to gain access to that private data. Devices known as Cell-Site Simulators (CSSs, a.k.a. Stingrays or IMSI-catchers) are increasingly being used by law enforcement for both dragnet and targeted surveillance; and several years ago we saw the first crackdowns against criminals using cell site simulators on a mass scale to deliver spam.

Rightly, there’s been a lot of interest in—and confusion about—what CSSs are capable of. From activists worried about being targeted and tracked, to policy makers concerned about the privacy of their constituents, to technologists interested in learning about the security flaws so that they can deliver fixes, there’s a range in knowledge, though all of these groups have a stake in learning more. But the barrier to entry to the field of cell network security has historically been quite high, even if you already have a technical background. While there’s a growing body of highly technical research into the cell network attack techniques that CSSs rely on, very little exists for the average reader.

To help bridge this gap, we’re publishing “Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks”, an in-depth white paper that explains some of the most relevant cell network attacks from the ground up. The white paper is entirely self-contained, and is meant to make accessible the technical details of the kind of attacks CSSs might rely on. While the contents will be most accessible to technologists, all readers should be able to gain a thorough understanding from it. The paper also addresses many common technical questions that come up when discussing the capabilities of CSSs, such as: what are the different kinds of location tracking attacks, what are the known limits around cell network communication interception, and how does all this actually work?

Given the prevalence of cell phones, these vulnerabilities—and the CSSs that take advantage of them—should not just be a concern for security researchers. We’re all vulnerable. The metadata and data that our phones exchange with cell towers during basic connection procedures are being taken advantage of by third parties to invade our privacy. Demystifying the tech behind these techniques is critical for raising awareness about the issue and finding solutions. We hope you’ll join us.
